ATM fraud refunds may not come quickly, if at all

In early April, A$800 vanished from my account, the result of a late-night withdrawal from a cash machine in a Sydney neighborhood I'd never been to before.

In early April, A$800 vanished from my account, the result of a late-night withdrawal from a cash machine in a Sydney neighborhood I'd never been to before.

It's a type of fraud that happens frequently: Criminals attach devices to cash machines that record the account data stored on the magnetic stripe on the back of the card, a practice known as skimming. The card's PIN (Personal Identification Number) can be spied with a secret camera or a fake number pad overlay.

As a reporter who covers computer security and fraud, I'm aware how easy it is to become a victim of skimming and how difficult it is to defend against. But I've always been more worried about how I'd get the money back than about actually being skimmed, since banks seem less inclined these days to assume liability.

Most banks in the U.K. and Australia would like you to believe they always refund stolen funds. But the reality is that a bank can easily deny a refund based on flimsy reasoning that leaves consumers with little recourse other than going to court.

Commonwealth Bank of Australia is one of the major banks in the country. It assures customers on its website that it will "guarantee to refund any fraudulent transactions that take place within five days from when you report the incident to us."

In my case, things didn't go so smoothly.

I reported the theft within a couple of hours of the transaction and answered the standard liability questions: I hadn't told anyone else my PIN, or written it on the back of the card, etc., and I asked for a refund.

Five days later, Commonwealth Bank sent me a letter saying it had closed the investigation. They explained vaguely that the transaction had been executed using my PIN. Fraud investigators never called me.

Banks would like you to believe that the use of the PIN means that you, the cardholder, performed the transaction, and are therefore liable for it. But the reasoning is flawed. The cash machine verifies only that the correct PIN was used, not that the person who entered the PIN was theactual cardholder.

Nonetheless, it can be grounds to refuse a refund. Stephen Mason, a U.K.-based barrister, has written extensively about security weaknesses and legal issues with cash cards and bank machines in the U.K. and Europe.He represented a U.K. man who took the bank Halifax to court in 2009 over alleged "phantom" withdrawals and lost.

"The banks will deny that their systems suffer from any weaknesses, placing the blame squarely on the customer," Mason wrote in a March article for Butterworths Journal of International Banking and Financial Law. And it will be up to the customer to point out to the judge that there is a series of past cases illustrating the weaknesses, he wrote.